-
Bug
-
Resolution: Done-Errata
-
Normal
-
None
-
4.14.0
-
Moderate
-
No
-
False
-
Description of problem:
Observation from CISv1.4 pdf:
1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive
“Ensure that the API server pod specification file has permissions of 600 or more restrictive. OpenShift 4 deploys two API servers: the OpenShift API server and the Kube API server. The OpenShift API server delegates requests for Kubernetes objects to the Kube API server. The OpenShift API server is managed as a deployment. The pod specification yaml for openshift-apiserver is stored in etcd. The Kube API Server is managed as a static pod. The pod specification file for the kube-apiserver is created on the control plane nodes at /etc/kubernetes/manifests/kube-apiserver-pod.yaml. The kube-apiserver is mounted via hostpath to the kube-apiserver pods via /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml with permissions 600.”
To conform with CIS benchmarks, the pod specification file for the kube-apiserver, /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml, should be updated to 600.
    $ for i in $( oc get pods -n openshift-kube-apiserver -l app=openshift-kube-apiserver -o name )
    do
      oc exec -n openshift-kube-apiserver $i -- \
        stat -c %a /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml
    done
    644
    644
    644
Version-Release number of selected component (if applicable):
4.14.0-0.nightly-2023-07-20-215234
How reproducible:
Always
Steps to Reproduce:
1. 2. 3.
Actual results:
The permission of the pod specification file for the kube-apiserver is 644.
Expected results:
The permission of the pod specification file for the kube-apiserver should be updated to 600.
Additional info:
PR: https://github.com/openshift/library-go/commit/19a42d2bae8ba68761cfad72bf764e10d275ad6e
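An added example (not part of the bug report or of OpenShift's code): a POSIX shell check for "600 or more restrictive" applied to the octal mode that `stat -c %a` prints. The function names are hypothetical, and it assumes "more restrictive" means that no permission bit outside owner read/write is set.

```shell
#!/bin/sh
# Added example: evaluate the CIS 1.1.1 permission rule on an octal mode.
# Function names are hypothetical; they are not from the report or from OpenShift.

# Return 0 when the octal mode grants nothing beyond owner read/write.
# Return 1 when any other bit is set, 2 when the input is not an octal mode.
mode_is_600_or_stricter() {
    m=$1
    case $m in
        ''|*[!0-7]*) return 2 ;;
    esac
    # A leading 0 makes the shell read the value as octal. Any bit outside
    # 0600 (owner execute, group/other bits, setuid/setgid/sticky) fails.
    [ $(( 0$m & ~0600 & 07777 )) -eq 0 ]
}

# Check one file on the local filesystem.
# Prints "PASS <mode> <path>" or "FAIL <mode> <path>"; returns non-zero on FAIL.
check_file() {
    path=$1
    mode=$(stat -c %a "$path") || return 2
    if mode_is_600_or_stricter "$mode"; then
        echo "PASS $mode $path"
    else
        echo "FAIL $mode $path"
        return 1
    fi
}

# When run with file paths as arguments, check each one.
for f in "$@"; do
    check_file "$f"
done
```

The 644 reported above fails this check, while 600 and 400 pass. A plain numeric comparison of the modes would wrongly accept values such as 170, which is why the check is done bitwise.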
- blocks
-
OCPBUGS-19553 The file permission for pod specification files of the kube-apiserver should be updated to 600 to conform with CIS benchmarks
- Closed
- is cloned by
-
OCPBUGS-19553 The file permission for pod specification files of the kube-apiserver should be updated to 600 to conform with CIS benchmarks
- Closed
- links to
-
RHEA-2023:7198 rpm